Professional Documents
Culture Documents
Usb Threat REPORT 2020: Honeywell Industrial Cybersecurity
Usb Threat REPORT 2020: Honeywell Industrial Cybersecurity
Usb Threat REPORT 2020: Honeywell Industrial Cybersecurity
INDUSTRIAL
CYBERSECURITY
USB THREAT
REPORT 2020
TABLE OF
CONTENTS
2 Overview
3 Methodology
4 Key Findings
4 USB Remains a Top Threat Vector
4 USB-Borne Malware: A High-Potency Threat
5 High Concentration of USB-Specific Threats
5 USB Borne Threats Are More Dangerous Than Ever
6 Threat Patterns Appear Unique to OT
6 Are USB Borne Threats Targeting OT Systems Directly?
7 Improved Hygiene, Higher Risk
7 What’s in a Name?
7 The Tip of the USB-berg
8 Catching Missed Malware
9 Security Implications for Operators
10 Conclusion: More Research is Needed
11 Glossary
A glossary of terms used in this report is offered at the end of this document.
28%
While the GARD Threat Engine is used across multiple Honeywell Industrial
Cybersecurity products and services, the data for this report was limited to those
threats detected by Honeywell’s USB security platform: Honeywell Secure Media
Exchange (SMX). SMX analyzes USB devices as they are actively used in industrial Targeted ICS (including
facilities, providing a highly focused view of critical infrastructure USB activity. ransomware) (up from 16%)
19%
All data collected from SMX, and all data from GARD is anonymous with no
personally identifiable information (PII), and only a sample set of all SMX data
collected over a 12 month period was analyzed. Due to concerns of confidentiality,
no details concerning the collection points have been provided. Designed to exploit
USB (up from 9%)
Industries represented include Oil and Gas, Energy, Food, Chemical, Shipping,
Buildings, Aerospace, Manufacturing, Pulp and Paper, and other industrial facilities.
No detailed correlation to region, nor detail by industry, has been provided here,
in an effort to further preserve data anonymity. Data was collected from over 60
15%
countries across North America, South America, Europe, the Middle East, and Are well-known threats
Asia. This sample set represents only files actively carried into production control (No Change)
facilities via USB removable storage devices, during normal day-to-day operations.
The data represents those files that were detected and blocked.
However, the impact of the malware found increased significantly since the first
report even if the overall concentration of malware remained steady. In 2018,
14% of total threats detected were known to have been developed specifically to
target industrial systems, leveraging a specific vulnerability in industrial devices
or protocols. This dropped slightly to 11%. However, a staggering 59% of total
threats in our latest study had the ability to impact industrial control and process
automation systems, up from just 26%. This directly correlates to the increase in
ransomware, which was up from 7% to 17%. Ransomware was not considered “OT
specific” unless it specifically targeted an industrial device or protocol, and thus did
not contribute to the 11% figure. However, the increase in ransomware seen in OT
indicates that industrial corporations are being targeted by ransomware, even if the
ransomware itself is not OT-specific. If we include ransomware, the rate of threats
targeting OT actually doubles from 14% to 28%.
TROJAN VIRUS
68% 6%
OLD NEW
78%
TROJANS,
17% OTHERS 11% OTHERS VIRUSES,
3% WORMS WORMS, AND
1% WORMS ROOTKITS
1% ROOTKITS
2% ROOTKITS
3% VIRUS 6% VIRUS
5% PUA 5% PUA
4% BOTS
11% BOTS BOTS, PUAs,
2% HACKTOOLS
6% HACKTOOLS HACKTOOLS,
AND OTHERS
55% TROJAN 68% TROJAN
22%
This is an indication that USB devices are an increasingly popular vector for
malware infection and propagation, and even more so in OT versus IT. This
poses a significant threat against industrial environments, which depend
on USB removable media for regular operations. One can easily infer that
this is intentional, and that the dependence on removable media in these
environments represents a growing vulnerability against such attacks.
This is no surprise with several recent media reports of ransomware attacks impacting
industrial companies. Targets have been as diverse as industrial processors of petroleum,
metals, paper and renewable energy, and have included all aspects of industrial operations
including mining, manufacturing, transportation and shipping.
https://securelist.com/usb-threats-from-malware-to-miners/87989/
1
2
https://www.zdnet.com/article/cyber-crime-ransomware-attacks-have-more-than-doubled-this-year/
59 26% to 59%
Attacks endangering OT
3
https://securelist.com/usb-threats-from-malware-to-miners/87989/
WHAT’S IN A NAME?
This report focuses on threats that were successfully detected and blocked from
entering industrial facilities. However, there are numerous ways for malware POTENTIALLY
to evade detection, and there is obviously no way to quantify or analyze those UNWANTED
threats that weren’t detected. One example of evasion includes using filesystem APPLICATIONS (PUAS),
or boot sector irregularities on removable media in order to avoid detection. The NON-TARGETED-
GARD research team encountered numerous instances where media contained
BOTS, ADWARE,
irregular, illegal, unsupported, or otherwise suspicious file systems and directory
SPYWARE AND
structures. It is believed this is mostly indicative of the older technology that is
still in use in many industrial environments. Most commodity USB removable HACKTOOLS DOWN
17%
storage devices were not built to last, and older media are prone to device
errors or failures that cause these same irregularities. While there is no way
to differentiate between a legitimate irregularity and an evasion attempt, it
is worth mentioning as a potential risk. Especially where USB media is used
for critical tasks (such as backups or storage of important files), upgrading to
newer, professional grade media is recommended (see ‘Security Implications for
Operators’). While the good news is that the GARD Threat Engine ‘excludes’ these
files by default (meaning those files are assumed untrustworthy, and therefore
not allowed to be accessed), no data is currently captured for these excluded files,
preventing further analysis. Additional research is being planned in this area.
Despite the fact that many threats have been known for some time, 5% of
the total threats discovered by SMX were completely undetectable by all
commercial anti-malware solutions tested.
This is consistent with the original findings from the 2018 USB Threat Report.
Interestingly, it was noted that in several cases a particular threat was only detected
by one or two less-known software solutions. Narrowing the results to the anti-
malware vendors (based on market share) with a larger presence in OT markets,
we found that 20% of the threats analyzed went undetected, up from 11% in the
previous report. With a higher prevalence of newer threats (5% being less than one
week old), and clear indications of high-impact, targeted threats against industrials
originating form USB removable media, this remains a concern. Many industrial
organizations update anti-virus signatures less frequently, due to the limited
availability of maintenance windows where such updates can occur, which can
further increase the risk of depending solely on commercial AV scanning.
SMX improves detection performance using the GARD Threat Engine, which
includes a variety of advanced threat detection and threat intelligence technologies
and methods. While these report findings indicate that The GARD Threat Engine
is performing well, the severity of the threats discovered warrants the use of
additional security measures for true defense-in-depth (see “Security Implications
for Operators”).
• USB security must include technical controls and enforcement. Relying on policy
updates or people training alone will not suffice for scalable threat prevention.
Despite the seeming widespread belief that USB drives are dangerous, and
despite the prevalence of corporate USB usage policies, the data provides ample
evidence that the threat of USB-borne malware is still increasing.
• Patching and hardening of end nodes remains necessary, despite the challenges
of patching production systems. While sophisticated and targeted attacks were
detected, many old threats were identified and could be easily mitigated by
simply keeping the infrastructure current. Hardening of OT systems is also a key
contribution to improving incident MTTR.
3/5
THREATS DETECTED
WERE CAPABLE
OF DISRUPTING
OT OPERATIONS